Module Name: src Committed By: kefren Date: Sat May 16 10:09:20 UTC 2015
Modified Files: src/sys/netinet: tcp_subr.c Log Message: Don't overexpose tcp_iss_secret and don't bother compute it unless RFC1948 compliance is activated To generate a diff of this commit: cvs rdiff -u -r1.260 -r1.261 src/sys/netinet/tcp_subr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/netinet/tcp_subr.c diff -u src/sys/netinet/tcp_subr.c:1.260 src/sys/netinet/tcp_subr.c:1.261 --- src/sys/netinet/tcp_subr.c:1.260 Mon Apr 27 02:59:44 2015 +++ src/sys/netinet/tcp_subr.c Sat May 16 10:09:20 2015 @@ -1,4 +1,4 @@ -/* $NetBSD: tcp_subr.c,v 1.260 2015/04/27 02:59:44 ozaki-r Exp $ */ +/* $NetBSD: tcp_subr.c,v 1.261 2015/05/16 10:09:20 kefren Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -91,7 +91,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: tcp_subr.c,v 1.260 2015/04/27 02:59:44 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: tcp_subr.c,v 1.261 2015/05/16 10:09:20 kefren Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -2189,7 +2189,6 @@ tcp_rmx_rtt(struct tcpcb *tp) } tcp_seq tcp_iss_seq = 0; /* tcp initial seq # */ -u_int8_t tcp_iss_secret[16]; /* 128 bits; should be plenty */ /* * Get a new sequence value given a tcp control block @@ -2227,23 +2226,25 @@ tcp_new_iss1(void *laddr, void *faddr, u { tcp_seq tcp_iss; + /* RFC1948 specifics */ static bool tcp_iss_gotten_secret; - - /* - * If we haven't been here before, initialize our cryptographic - * hash secret. - */ - if (tcp_iss_gotten_secret == false) { - cprng_strong(kern_cprng, - tcp_iss_secret, sizeof(tcp_iss_secret), 0); - tcp_iss_gotten_secret = true; - } + static u_int8_t tcp_iss_secret[16]; /* 128 bits; should be plenty */ if (tcp_do_rfc1948) { MD5_CTX ctx; u_int8_t hash[16]; /* XXX MD5 knowledge */ /* + * If we haven't been here before, initialize our cryptographic + * hash secret. + */ + if (tcp_iss_gotten_secret == false) { + cprng_strong(kern_cprng, + tcp_iss_secret, sizeof(tcp_iss_secret), 0); + tcp_iss_gotten_secret = true; + } + + /* * Compute the base value of the ISS. It is a hash * of (saddr, sport, daddr, dport, secret). */